9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
Size

314KB
MD5

58b95345f410185e54c32e190c9eec43
SHA1

9701ba8e61703060043ba816f4b6fb8ad73b76b2
SHA256

9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b
SHA512

41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd
SSDEEP

6144:Z0NtY63xjxc2CiyOyo95ULe2dp8f20xzpIdWO9WbVXfP6do6skevD:Z0PYKxOhooLe2DMIdd9WxfPqo6fevD

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 45 IoCs

pid	Process
2892	asferror.exe
4792	aadauthhelper.exe
5028	AboveLockAppHost.exe
5020	ActivationManager.exe
2304	AarSvc.exe
2928	ActionCenterCPL.exe
2180	amstream.exe
1928	AnalogCommonProxyStub.exe
224	AcGenral.exe
4240	AcSpecfc.exe
4820	AboveLockAppHost.exe
4472	acledit.exe
4704	audiodev.exe
4740	accessibilitycpl.exe
3148	adprovider.exe
1992	AppxPackaging.exe
4880	AcGenral.exe
2796	AppInstallerPrompt.Desktop.exe
3356	advapi32.exe
2400	ActionCenterCPL.exe
2808	AcXtrnal.exe
2184	AcSpecfc.exe
4160	aeevts.exe
1600	acledit.exe
3720	adsldp.exe
4960	aadauthhelper.exe
4172	aclui.exe
700	AarSvc.exe
4996	acppage.exe
1656	archiveint.exe
4984	accountaccessor.exe
644	aadauthhelper.exe
1764	accessibilitycpl.exe
2352	AboveLockAppHost.exe
404	accountaccessor.exe
3796	aadauthhelper.exe
3924	acledit.exe
4280	aclui.exe
3144	AppIdPolicyEngineApi.exe
2424	ActivationClient.exe
1120	acledit.exe
392	AcLayers.exe
3092	advapi32res.exe
4880	AppIdPolicyEngineApi.exe
956	advapi32res.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2796	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smwcore = "C:\\Windows\\system32\\advapi32res.exe"	advapi32res.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AcGenral.exe	AnalogCommonProxyStub.exe
File created	C:\Windows\SysWOW64\AcSpecfc.exe	AcGenral.exe
File opened for modification	C:\Windows\SysWOW64\aclui.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	aclui.exe
File opened for modification	C:\Windows\SysWOW64\AarSvc.exe	ActivationManager.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpl.exe	audiodev.exe
File created	C:\Windows\SysWOW64\adsldp.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\adsldp.exe	acledit.exe
File created	C:\Windows\SysWOW64\advapi32.exe	AppInstallerPrompt.Desktop.exe
File opened for modification	C:\Windows\SysWOW64\AcXtrnal.exe	ActionCenterCPL.exe
File created	C:\Windows\SysWOW64\accountaccessor.exe	AboveLockAppHost.exe
File opened for modification	C:\Windows\SysWOW64\ActivationClient.exe	AppIdPolicyEngineApi.exe
File created	C:\Windows\SysWOW64\advapi32res.nls	advapi32res.exe
File created	C:\Windows\SysWOW64\asferror.exe	9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
File created	C:\Windows\SysWOW64\amstream.exe	ActionCenterCPL.exe
File opened for modification	C:\Windows\SysWOW64\AnalogCommonProxyStub.exe	amstream.exe
File opened for modification	C:\Windows\SysWOW64\AboveLockAppHost.exe	AcSpecfc.exe
File opened for modification	C:\Windows\SysWOW64\adprovider.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\aeevts.exe	AcSpecfc.exe
File opened for modification	C:\Windows\SysWOW64\archiveint.exe	acppage.exe
File opened for modification	C:\Windows\SysWOW64\aadauthhelper.exe	accountaccessor.exe
File created	C:\Windows\SysWOW64\acledit.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\advapi32res.exe	AcLayers.exe
File created	C:\Windows\SysWOW64\ActionCenterCPL.exe	AarSvc.exe
File created	C:\Windows\SysWOW64\AcXtrnal.exe	ActionCenterCPL.exe
File opened for modification	C:\Windows\SysWOW64\accessibilitycpl.exe	aadauthhelper.exe
File created	C:\Windows\SysWOW64\advapi32res.exe	AcLayers.exe
File created	C:\Windows\SysWOW64\acledit.exe	AboveLockAppHost.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	audiodev.exe
File created	C:\Windows\SysWOW64\ActionCenterCPL.exe	advapi32.exe
File created	C:\Windows\SysWOW64\aadauthhelper.exe	adsldp.exe
File created	C:\Windows\SysWOW64\AboveLockAppHost.exe	accessibilitycpl.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	aadauthhelper.exe
File created	C:\Windows\SysWOW64\ActivationClient.exe	AppIdPolicyEngineApi.exe
File created	C:\Windows\SysWOW64\acledit.exe	ActivationClient.exe
File created	C:\Windows\SysWOW64\AcLayers.exe	acledit.exe
File opened for modification	C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe	advapi32res.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenterCPL.exe	AarSvc.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	AboveLockAppHost.exe
File opened for modification	C:\Windows\SysWOW64\ActionCenterCPL.exe	advapi32.exe
File opened for modification	C:\Windows\SysWOW64\accountaccessor.exe	archiveint.exe
File opened for modification	C:\Windows\SysWOW64\AboveLockAppHost.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\aclui.exe	acledit.exe
File created	C:\Windows\SysWOW64\adprovider.exe	accessibilitycpl.exe
File created	C:\Windows\SysWOW64\archiveint.exe	acppage.exe
File created	C:\Windows\SysWOW64\aadauthhelper.exe	accountaccessor.exe
File created	C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe	advapi32res.exe
File opened for modification	C:\Windows\SysWOW64\asferror.exe	9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
File opened for modification	C:\Windows\SysWOW64\amstream.exe	ActionCenterCPL.exe
File created	C:\Windows\SysWOW64\AnalogCommonProxyStub.exe	amstream.exe
File created	C:\Windows\SysWOW64\AcSpecfc.exe	AcXtrnal.exe
File created	C:\Windows\SysWOW64\acledit.exe	aeevts.exe
File opened for modification	C:\Windows\SysWOW64\aadauthhelper.exe	adsldp.exe
File created	C:\Windows\SysWOW64\AarSvc.exe	aclui.exe
File created	C:\Windows\SysWOW64\accountaccessor.exe	archiveint.exe
File opened for modification	C:\Windows\SysWOW64\AcSpecfc.exe	AcGenral.exe
File created	C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe	AcGenral.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.exe	AppInstallerPrompt.Desktop.exe
File opened for modification	C:\Windows\SysWOW64\acledit.exe	aeevts.exe
File created	C:\Windows\SysWOW64\aadauthhelper.exe	accountaccessor.exe
File created	C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe	aclui.exe
File created	C:\Windows\SysWOW64\AarSvc.exe	ActivationManager.exe
File created	C:\Windows\SysWOW64\accessibilitycpl.exe	aadauthhelper.exe
File opened for modification	C:\Windows\SysWOW64\aclui.exe	acledit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe
3092	advapi32res.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
Token: SeDebugPrivilege	2892	asferror.exe
Token: SeDebugPrivilege	4792	aadauthhelper.exe
Token: SeDebugPrivilege	5028	AboveLockAppHost.exe
Token: SeDebugPrivilege	5020	ActivationManager.exe
Token: SeDebugPrivilege	2304	AarSvc.exe
Token: SeDebugPrivilege	2928	ActionCenterCPL.exe
Token: SeDebugPrivilege	2180	amstream.exe
Token: SeDebugPrivilege	1928	AnalogCommonProxyStub.exe
Token: SeDebugPrivilege	224	AcGenral.exe
Token: SeDebugPrivilege	4240	AcSpecfc.exe
Token: SeDebugPrivilege	4820	AboveLockAppHost.exe
Token: SeDebugPrivilege	4472	acledit.exe
Token: SeDebugPrivilege	4704	audiodev.exe
Token: SeDebugPrivilege	4740	accessibilitycpl.exe
Token: SeDebugPrivilege	3148	adprovider.exe
Token: SeDebugPrivilege	1992	AppxPackaging.exe
Token: SeDebugPrivilege	4880	AcGenral.exe
Token: SeDebugPrivilege	2796	AppInstallerPrompt.Desktop.exe
Token: SeDebugPrivilege	3356	advapi32.exe
Token: SeDebugPrivilege	2400	ActionCenterCPL.exe
Token: SeDebugPrivilege	2808	AcXtrnal.exe
Token: SeDebugPrivilege	2184	AcSpecfc.exe
Token: SeDebugPrivilege	4160	aeevts.exe
Token: SeDebugPrivilege	1600	acledit.exe
Token: SeDebugPrivilege	3720	adsldp.exe
Token: SeDebugPrivilege	4960	aadauthhelper.exe
Token: SeDebugPrivilege	4172	aclui.exe
Token: SeDebugPrivilege	700	AarSvc.exe
Token: SeDebugPrivilege	4996	acppage.exe
Token: SeDebugPrivilege	1656	archiveint.exe
Token: SeDebugPrivilege	4984	accountaccessor.exe
Token: SeDebugPrivilege	644	aadauthhelper.exe
Token: SeDebugPrivilege	1764	accessibilitycpl.exe
Token: SeDebugPrivilege	2352	AboveLockAppHost.exe
Token: SeDebugPrivilege	404	accountaccessor.exe
Token: SeDebugPrivilege	3796	aadauthhelper.exe
Token: SeDebugPrivilege	3924	acledit.exe
Token: SeDebugPrivilege	4280	aclui.exe
Token: SeDebugPrivilege	3144	AppIdPolicyEngineApi.exe
Token: SeDebugPrivilege	2424	ActivationClient.exe
Token: SeDebugPrivilege	1120	acledit.exe
Token: SeDebugPrivilege	392	AcLayers.exe
Token: SeDebugPrivilege	3092	advapi32res.exe
Token: SeDebugPrivilege	4880	AppIdPolicyEngineApi.exe
Token: SeDebugPrivilege	956	advapi32res.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2892	904	9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe	78
PID 904 wrote to memory of 2892	904	9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe	78
PID 904 wrote to memory of 2892	904	9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe	78
PID 2892 wrote to memory of 4792	2892	asferror.exe	79
PID 2892 wrote to memory of 4792	2892	asferror.exe	79
PID 2892 wrote to memory of 4792	2892	asferror.exe	79
PID 4792 wrote to memory of 5028	4792	aadauthhelper.exe	80
PID 4792 wrote to memory of 5028	4792	aadauthhelper.exe	80
PID 4792 wrote to memory of 5028	4792	aadauthhelper.exe	80
PID 5028 wrote to memory of 5020	5028	AboveLockAppHost.exe	81
PID 5028 wrote to memory of 5020	5028	AboveLockAppHost.exe	81
PID 5028 wrote to memory of 5020	5028	AboveLockAppHost.exe	81
PID 5020 wrote to memory of 2304	5020	ActivationManager.exe	82
PID 5020 wrote to memory of 2304	5020	ActivationManager.exe	82
PID 5020 wrote to memory of 2304	5020	ActivationManager.exe	82
PID 2304 wrote to memory of 2928	2304	AarSvc.exe	83
PID 2304 wrote to memory of 2928	2304	AarSvc.exe	83
PID 2304 wrote to memory of 2928	2304	AarSvc.exe	83
PID 2928 wrote to memory of 2180	2928	ActionCenterCPL.exe	84
PID 2928 wrote to memory of 2180	2928	ActionCenterCPL.exe	84
PID 2928 wrote to memory of 2180	2928	ActionCenterCPL.exe	84
PID 2180 wrote to memory of 1928	2180	amstream.exe	85
PID 2180 wrote to memory of 1928	2180	amstream.exe	85
PID 2180 wrote to memory of 1928	2180	amstream.exe	85
PID 1928 wrote to memory of 224	1928	AnalogCommonProxyStub.exe	86
PID 1928 wrote to memory of 224	1928	AnalogCommonProxyStub.exe	86
PID 1928 wrote to memory of 224	1928	AnalogCommonProxyStub.exe	86
PID 224 wrote to memory of 4240	224	AcGenral.exe	87
PID 224 wrote to memory of 4240	224	AcGenral.exe	87
PID 224 wrote to memory of 4240	224	AcGenral.exe	87
PID 4240 wrote to memory of 4820	4240	AcSpecfc.exe	88
PID 4240 wrote to memory of 4820	4240	AcSpecfc.exe	88
PID 4240 wrote to memory of 4820	4240	AcSpecfc.exe	88
PID 4820 wrote to memory of 4472	4820	AboveLockAppHost.exe	89
PID 4820 wrote to memory of 4472	4820	AboveLockAppHost.exe	89
PID 4820 wrote to memory of 4472	4820	AboveLockAppHost.exe	89
PID 4472 wrote to memory of 4704	4472	acledit.exe	90
PID 4472 wrote to memory of 4704	4472	acledit.exe	90
PID 4472 wrote to memory of 4704	4472	acledit.exe	90
PID 4704 wrote to memory of 4740	4704	audiodev.exe	91
PID 4704 wrote to memory of 4740	4704	audiodev.exe	91
PID 4704 wrote to memory of 4740	4704	audiodev.exe	91
PID 4740 wrote to memory of 3148	4740	accessibilitycpl.exe	92
PID 4740 wrote to memory of 3148	4740	accessibilitycpl.exe	92
PID 4740 wrote to memory of 3148	4740	accessibilitycpl.exe	92
PID 3148 wrote to memory of 1992	3148	adprovider.exe	93
PID 3148 wrote to memory of 1992	3148	adprovider.exe	93
PID 3148 wrote to memory of 1992	3148	adprovider.exe	93
PID 1992 wrote to memory of 4880	1992	AppxPackaging.exe	94
PID 1992 wrote to memory of 4880	1992	AppxPackaging.exe	94
PID 1992 wrote to memory of 4880	1992	AppxPackaging.exe	94
PID 4880 wrote to memory of 2796	4880	AcGenral.exe	95
PID 4880 wrote to memory of 2796	4880	AcGenral.exe	95
PID 4880 wrote to memory of 2796	4880	AcGenral.exe	95
PID 2796 wrote to memory of 3356	2796	AppInstallerPrompt.Desktop.exe	96
PID 2796 wrote to memory of 3356	2796	AppInstallerPrompt.Desktop.exe	96
PID 2796 wrote to memory of 3356	2796	AppInstallerPrompt.Desktop.exe	96
PID 3356 wrote to memory of 2400	3356	advapi32.exe	97
PID 3356 wrote to memory of 2400	3356	advapi32.exe	97
PID 3356 wrote to memory of 2400	3356	advapi32.exe	97
PID 2400 wrote to memory of 2808	2400	ActionCenterCPL.exe	98
PID 2400 wrote to memory of 2808	2400	ActionCenterCPL.exe	98
PID 2400 wrote to memory of 2808	2400	ActionCenterCPL.exe	98
PID 2808 wrote to memory of 2184	2808	AcXtrnal.exe	99

C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe
"C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\asferror.exe
  C:\Windows\system32\asferror.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\aadauthhelper.exe
    C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\AboveLockAppHost.exe
      C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\ActivationManager.exe
        
        C:\Windows\system32\ActivationManager.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\AarSvc.exe
        
        C:\Windows\system32\AarSvc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        C:\Windows\system32\ActionCenterCPL.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\amstream.exe
        
        C:\Windows\system32\amstream.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\AnalogCommonProxyStub.exe
        
        C:\Windows\system32\AnalogCommonProxyStub.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\AcGenral.exe
        
        C:\Windows\system32\AcGenral.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        C:\Windows\system32\AcSpecfc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\AboveLockAppHost.exe
        
        C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\audiodev.exe
        
        C:\Windows\system32\audiodev.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\adprovider.exe
        
        C:\Windows\system32\adprovider.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\AppxPackaging.exe
        
        C:\Windows\system32\AppxPackaging.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\AcGenral.exe
        
        C:\Windows\system32\AcGenral.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe
        
        C:\Windows\system32\AppInstallerPrompt.Desktop.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\advapi32.exe
        
        C:\Windows\system32\advapi32.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\ActionCenterCPL.exe
        
        C:\Windows\system32\ActionCenterCPL.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\AcXtrnal.exe
        
        C:\Windows\system32\AcXtrnal.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\AcSpecfc.exe
        
        C:\Windows\system32\AcSpecfc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\SysWOW64\aeevts.exe
        
        C:\Windows\system32\aeevts.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SysWOW64\adsldp.exe
        
        C:\Windows\system32\adsldp.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\SysWOW64\aadauthhelper.exe
        
        C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Windows\SysWOW64\AarSvc.exe
        
        C:\Windows\system32\AarSvc.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\SysWOW64\acppage.exe
        
        C:\Windows\system32\acppage.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\SysWOW64\archiveint.exe
        
        C:\Windows\system32\archiveint.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\accountaccessor.exe
        
        C:\Windows\system32\accountaccessor.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\aadauthhelper.exe
        
        C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\SysWOW64\accessibilitycpl.exe
        
        C:\Windows\system32\accessibilitycpl.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\SysWOW64\AboveLockAppHost.exe
        
        C:\Windows\system32\AboveLockAppHost.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\accountaccessor.exe
        
        C:\Windows\system32\accountaccessor.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\aadauthhelper.exe
        
        C:\Windows\system32\aadauthhelper.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\SysWOW64\aclui.exe
        
        C:\Windows\system32\aclui.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
        
        C:\Windows\system32\AppIdPolicyEngineApi.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Windows\SysWOW64\ActivationClient.exe
        
        C:\Windows\system32\ActivationClient.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\SysWOW64\acledit.exe
        
        C:\Windows\system32\acledit.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\SysWOW64\AcLayers.exe
        
        C:\Windows\system32\AcLayers.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\SysWOW64\advapi32res.exe
        
        C:\Windows\system32\advapi32res.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe
        
        C:\Windows\system32\AppIdPolicyEngineApi.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32 -m3092:C:\Windows\SysWOW64\advapi32res.exe -sC:\Windows\system32
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Windows\SysWOW64\advapi32res.exe" enable
        45⤵
        Modifies Windows Firewall
        
        PID:2796
        
        C:\Windows\SysWOW64\advapi32res.exe
        
        C:\Windows\SysWOW64\advapi32res.exe -m904:C:\Users\Admin\AppData\Local\Temp\9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b.exe -sC:\Windows\system32 -m2892:C:\Windows\SysWOW64\asferror.exe -sC:\Windows\system32 -m4792:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m5028:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m5020:C:\Windows\SysWOW64\ActivationManager.exe -sC:\Windows\system32 -m2304:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m2928:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2180:C:\Windows\SysWOW64\amstream.exe -sC:\Windows\system32 -m1928:C:\Windows\SysWOW64\AnalogCommonProxyStub.exe -sC:\Windows\system32 -m224:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m4240:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4820:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m4472:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4704:C:\Windows\SysWOW64\audiodev.exe -sC:\Windows\system32 -m4740:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m3148:C:\Windows\SysWOW64\adprovider.exe -sC:\Windows\system32 -m1992:C:\Windows\SysWOW64\AppxPackaging.exe -sC:\Windows\system32 -m4880:C:\Windows\SysWOW64\AcGenral.exe -sC:\Windows\system32 -m2796:C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe -sC:\Windows\system32 -m3356:C:\Windows\SysWOW64\advapi32.exe -sC:\Windows\system32 -m2400:C:\Windows\SysWOW64\ActionCenterCPL.exe -sC:\Windows\system32 -m2808:C:\Windows\SysWOW64\AcXtrnal.exe -sC:\Windows\system32 -m2184:C:\Windows\SysWOW64\AcSpecfc.exe -sC:\Windows\system32 -m4160:C:\Windows\SysWOW64\aeevts.exe -sC:\Windows\system32 -m1600:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m3720:C:\Windows\SysWOW64\adsldp.exe -sC:\Windows\system32 -m4960:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m4172:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m700:C:\Windows\SysWOW64\AarSvc.exe -sC:\Windows\system32 -m4996:C:\Windows\SysWOW64\acppage.exe -sC:\Windows\system32 -m1656:C:\Windows\SysWOW64\archiveint.exe -sC:\Windows\system32 -m4984:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m644:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m1764:C:\Windows\SysWOW64\accessibilitycpl.exe -sC:\Windows\system32 -m2352:C:\Windows\SysWOW64\AboveLockAppHost.exe -sC:\Windows\system32 -m404:C:\Windows\SysWOW64\accountaccessor.exe -sC:\Windows\system32 -m3796:C:\Windows\SysWOW64\aadauthhelper.exe -sC:\Windows\system32 -m3924:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m4280:C:\Windows\SysWOW64\aclui.exe -sC:\Windows\system32 -m3144:C:\Windows\SysWOW64\AppIdPolicyEngineApi.exe -sC:\Windows\system32 -m2424:C:\Windows\SysWOW64\ActivationClient.exe -sC:\Windows\system32 -m1120:C:\Windows\SysWOW64\acledit.exe -sC:\Windows\system32 -m392:C:\Windows\SysWOW64\AcLayers.exe -sC:\Windows\system32 -w3092
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AarSvc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AarSvc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AboveLockAppHost.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcGenral.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcGenral.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcGenral.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcGenral.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcSpecfc.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcXtrnal.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AcXtrnal.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\ActionCenterCPL.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\ActivationManager.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\ActivationManager.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AnalogCommonProxyStub.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AnalogCommonProxyStub.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AppInstallerPrompt.Desktop.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AppxPackaging.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\AppxPackaging.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aadauthhelper.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\accessibilitycpl.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\accountaccessor.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\accountaccessor.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\acledit.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\acledit.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\acledit.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\acledit.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aclui.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aclui.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\acppage.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\adprovider.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\adprovider.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\adsldp.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\adsldp.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\advapi32.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\advapi32.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aeevts.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\aeevts.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\amstream.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\amstream.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\archiveint.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\archiveint.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\asferror.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\asferror.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\audiodev.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
C:\Windows\SysWOW64\audiodev.exe

Filesize
314KB

MD5
58b95345f410185e54c32e190c9eec43

SHA1
9701ba8e61703060043ba816f4b6fb8ad73b76b2

SHA256
9611cbc061bec0a78cacfbc2ae758ec390d4e44da89819894a4c3a1b1b4a9a2b

SHA512
41caca575d396ffa7842d83f7a87ac727f186efcddb6fe6f178f129cfe3e10392074524d4199627e7133d7be783845ef134ed6bd4d78dd9ea62bb283bbe6fddd

Download Submit
memory/224-186-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/404-330-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/404-326-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/404-325-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/644-315-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/700-297-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/904-140-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/904-132-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/904-133-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1600-273-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1600-266-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1600-265-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1656-308-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1764-321-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1764-317-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1764-316-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1928-185-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1928-180-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1928-179-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1992-229-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2180-178-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2184-257-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2304-168-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2304-163-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2352-324-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2400-250-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2796-236-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2808-251-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2808-256-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2892-145-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2892-139-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2892-138-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2928-169-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3148-225-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3148-219-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3356-241-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3720-274-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3796-329-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3796-333-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4160-267-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4172-290-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4172-284-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4172-283-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4240-196-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4280-336-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4472-202-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4472-214-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4704-211-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4740-212-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4740-220-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4792-150-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4820-213-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4820-194-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4820-195-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4880-235-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4960-285-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4984-307-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4984-318-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4996-295-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4996-296-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4996-302-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5020-162-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5028-157-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5028-151-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/5028-152-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download